quasar | 15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2klz.exe
Size

3.1MB
MD5

01cb0e497f40e7d02f93255475f175e1
SHA1

98c779497d6514b91cd1410f627a5320f6b3eab5
SHA256

15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95
SHA512

fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9
SSDEEP

49152:TvalL26AaNeWgPhlmVqvMQ7XSKKGRJ69bR3LoGdEMgTHHB72eh2NT:TvCL26AaNeWgPhlmVqkQ7XSKKGRJ6PU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Extazz24535-22930.portmap.host:22930

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
2klz.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2304-1-0x00000000011B0000-0x00000000014D4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016c1a-6.dat	family_quasar
behavioral1/memory/1708-9-0x0000000000BA0000-0x0000000000EC4000-memory.dmp	family_quasar
behavioral1/memory/2976-33-0x0000000001120000-0x0000000001444000-memory.dmp	family_quasar
behavioral1/memory/1180-54-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/memory/2856-65-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar
behavioral1/memory/2452-76-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar
behavioral1/memory/1700-87-0x0000000001030000-0x0000000001354000-memory.dmp	family_quasar
behavioral1/memory/2844-108-0x0000000000370000-0x0000000000694000-memory.dmp	family_quasar
behavioral1/memory/2300-120-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar
behavioral1/memory/1164-141-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
1708	2klz.exe
2620	2klz.exe
2976	2klz.exe
1896	2klz.exe
1180	2klz.exe
2856	2klz.exe
2452	2klz.exe
1700	2klz.exe
2644	2klz.exe
2844	2klz.exe
2300	2klz.exe
2024	2klz.exe
1164	2klz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
656	PING.EXE
1332	PING.EXE
1612	PING.EXE
1408	PING.EXE
2104	PING.EXE
2828	PING.EXE
3060	PING.EXE
2956	PING.EXE
1928	PING.EXE
3028	PING.EXE
2892	PING.EXE
2288	PING.EXE
1688	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
1408	PING.EXE
2892	PING.EXE
2104	PING.EXE
2828	PING.EXE
3060	PING.EXE
1688	PING.EXE
2956	PING.EXE
656	PING.EXE
1928	PING.EXE
1332	PING.EXE
1612	PING.EXE
3028	PING.EXE
2288	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	2klz.exe
Token: SeDebugPrivilege	1708	2klz.exe
Token: SeDebugPrivilege	2620	2klz.exe
Token: SeDebugPrivilege	2976	2klz.exe
Token: SeDebugPrivilege	1896	2klz.exe
Token: SeDebugPrivilege	1180	2klz.exe
Token: SeDebugPrivilege	2856	2klz.exe
Token: SeDebugPrivilege	2452	2klz.exe
Token: SeDebugPrivilege	1700	2klz.exe
Token: SeDebugPrivilege	2644	2klz.exe
Token: SeDebugPrivilege	2844	2klz.exe
Token: SeDebugPrivilege	2300	2klz.exe
Token: SeDebugPrivilege	2024	2klz.exe
Token: SeDebugPrivilege	1164	2klz.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
1708	2klz.exe
2620	2klz.exe
2976	2klz.exe
1896	2klz.exe
1180	2klz.exe
2856	2klz.exe
2452	2klz.exe
1700	2klz.exe
2644	2klz.exe
2844	2klz.exe
2300	2klz.exe
2024	2klz.exe
1164	2klz.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1708	2klz.exe
2620	2klz.exe
2976	2klz.exe
1896	2klz.exe
1180	2klz.exe
2856	2klz.exe
2452	2klz.exe
1700	2klz.exe
2644	2klz.exe
2844	2klz.exe
2300	2klz.exe
2024	2klz.exe
1164	2klz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1708	2klz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1708	2304	2klz.exe	31
PID 2304 wrote to memory of 1708	2304	2klz.exe	31
PID 2304 wrote to memory of 1708	2304	2klz.exe	31
PID 1708 wrote to memory of 2752	1708	2klz.exe	32
PID 1708 wrote to memory of 2752	1708	2klz.exe	32
PID 1708 wrote to memory of 2752	1708	2klz.exe	32
PID 2752 wrote to memory of 2780	2752	cmd.exe	34
PID 2752 wrote to memory of 2780	2752	cmd.exe	34
PID 2752 wrote to memory of 2780	2752	cmd.exe	34
PID 2752 wrote to memory of 2956	2752	cmd.exe	35
PID 2752 wrote to memory of 2956	2752	cmd.exe	35
PID 2752 wrote to memory of 2956	2752	cmd.exe	35
PID 2752 wrote to memory of 2620	2752	cmd.exe	36
PID 2752 wrote to memory of 2620	2752	cmd.exe	36
PID 2752 wrote to memory of 2620	2752	cmd.exe	36
PID 2620 wrote to memory of 2324	2620	2klz.exe	37
PID 2620 wrote to memory of 2324	2620	2klz.exe	37
PID 2620 wrote to memory of 2324	2620	2klz.exe	37
PID 2324 wrote to memory of 2680	2324	cmd.exe	39
PID 2324 wrote to memory of 2680	2324	cmd.exe	39
PID 2324 wrote to memory of 2680	2324	cmd.exe	39
PID 2324 wrote to memory of 656	2324	cmd.exe	40
PID 2324 wrote to memory of 656	2324	cmd.exe	40
PID 2324 wrote to memory of 656	2324	cmd.exe	40
PID 2324 wrote to memory of 2976	2324	cmd.exe	41
PID 2324 wrote to memory of 2976	2324	cmd.exe	41
PID 2324 wrote to memory of 2976	2324	cmd.exe	41
PID 2976 wrote to memory of 1152	2976	2klz.exe	42
PID 2976 wrote to memory of 1152	2976	2klz.exe	42
PID 2976 wrote to memory of 1152	2976	2klz.exe	42
PID 1152 wrote to memory of 852	1152	cmd.exe	44
PID 1152 wrote to memory of 852	1152	cmd.exe	44
PID 1152 wrote to memory of 852	1152	cmd.exe	44
PID 1152 wrote to memory of 1928	1152	cmd.exe	45
PID 1152 wrote to memory of 1928	1152	cmd.exe	45
PID 1152 wrote to memory of 1928	1152	cmd.exe	45
PID 1152 wrote to memory of 1896	1152	cmd.exe	46
PID 1152 wrote to memory of 1896	1152	cmd.exe	46
PID 1152 wrote to memory of 1896	1152	cmd.exe	46
PID 1896 wrote to memory of 2168	1896	2klz.exe	47
PID 1896 wrote to memory of 2168	1896	2klz.exe	47
PID 1896 wrote to memory of 2168	1896	2klz.exe	47
PID 2168 wrote to memory of 1504	2168	cmd.exe	49
PID 2168 wrote to memory of 1504	2168	cmd.exe	49
PID 2168 wrote to memory of 1504	2168	cmd.exe	49
PID 2168 wrote to memory of 1332	2168	cmd.exe	50
PID 2168 wrote to memory of 1332	2168	cmd.exe	50
PID 2168 wrote to memory of 1332	2168	cmd.exe	50
PID 2168 wrote to memory of 1180	2168	cmd.exe	51
PID 2168 wrote to memory of 1180	2168	cmd.exe	51
PID 2168 wrote to memory of 1180	2168	cmd.exe	51
PID 1180 wrote to memory of 688	1180	2klz.exe	52
PID 1180 wrote to memory of 688	1180	2klz.exe	52
PID 1180 wrote to memory of 688	1180	2klz.exe	52
PID 688 wrote to memory of 972	688	cmd.exe	54
PID 688 wrote to memory of 972	688	cmd.exe	54
PID 688 wrote to memory of 972	688	cmd.exe	54
PID 688 wrote to memory of 1612	688	cmd.exe	55
PID 688 wrote to memory of 1612	688	cmd.exe	55
PID 688 wrote to memory of 1612	688	cmd.exe	55
PID 688 wrote to memory of 2856	688	cmd.exe	56
PID 688 wrote to memory of 2856	688	cmd.exe	56
PID 688 wrote to memory of 2856	688	cmd.exe	56
PID 2856 wrote to memory of 1512	2856	2klz.exe	57

C:\Users\Admin\AppData\Local\Temp\2klz.exe
"C:\Users\Admin\AppData\Local\Temp\2klz.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\57ar5WU5ZtGB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2780
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2956
  - - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zup0elMFKg32.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2680
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:656
      - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\s6bSercrX1On.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQRWVNMoVSZ5.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1332
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0nOhryVsfPp7.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2EuPTX0VVDLM.bat" "
        13⤵
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2452
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3hzHkgsXpfUu.bat" "
        15⤵
        
        PID:880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1700
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FtgCx2gqpecn.bat" "
        17⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGloeVStvZlx.bat" "
        19⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2844
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JZkSxd9V5c0G.bat" "
        21⤵
        
        PID:1920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fmnbFIBn8AcV.bat" "
        23⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K8U58aUvIKqo.bat" "
        25⤵
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1164
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2RokvShW2cqd.bat" "
        27⤵
        
        PID:1540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0nOhryVsfPp7.bat

Filesize
205B

MD5
fef4888d2666ba83ef974619e6962d5b

SHA1
e0dbb594ef21c11ce85e5cc67ece9924a3bfb9eb

SHA256
a550bad2a67160184dde7a1d82c6df0061369d69b39ad516fbf365e3f3b7d5c6

SHA512
c5cc3bfffd1bb544116a3cbc1ad9bc2a313736054c2abec98583f709c9db8f0cb4d73a608372bc3c20cf7b0db7837ccd7cee2051cbd91af03f78b7898cb83ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EuPTX0VVDLM.bat

Filesize
205B

MD5
46ba0f5235c9ce89ab99a789e0bc3897

SHA1
10777b0fb6192517945312693b7211fc2d2ac610

SHA256
a1e33192ef0b0e39507b772e07f9eaee55219b9c7e6bc217d40c50d671a24ed6

SHA512
5c46806a1c06e8a3e066a5837eef0ccc6316fb053a516532041e75736028c0506a8cf37c662204a13a8d486c03d2c90b11244cacef61eeaf547efce7d2a6dc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\2RokvShW2cqd.bat

Filesize
205B

MD5
c360bde818ae0dab539f7507e42a3709

SHA1
e8b31b3a095c8c65668129f81bebef9030f8a560

SHA256
715dd1022c3fdde6f2e242afcb435f9a15baa2e47b40abaab9337bd1be547d6c

SHA512
4931654a935e4553ca2b1057863d97ffaf7426fbf8e07152851b735fe1705ec4b1d356b12fb5a5a2d59ab6dcf0a00675c209ff498ae8f558c63d8cbe2ea0506b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3hzHkgsXpfUu.bat

Filesize
205B

MD5
552266362a06146e43ffc646379f856e

SHA1
0db70eb68d98a49b7a0613ac823db53f0a8b0d3b

SHA256
9955d63f1a85d2f642428f631dfa2503c9787b865e78b0353101016dfbfc585f

SHA512
44ab0fde7508d23ffea26db27678b671251a4d23ea3d09a96b76e54e80732a4114337b213a8703541af6e3da1517ab8dfe22c337a52423c1a67273ca09f66718

Download Submit
C:\Users\Admin\AppData\Local\Temp\57ar5WU5ZtGB.bat

Filesize
205B

MD5
60ca6e83231dd7c262ced0ddaec20a00

SHA1
9ba97f1892c44afd708ef43fe6c546cbaf9ff4c9

SHA256
824f75cf6d4003622102775c04e78f66e91c0078aa165f0cafd32ba5c63b6bd5

SHA512
ce82085e9a23b9a480632155e2d7892ff21669be4a0d864ef7f606013d36351e65f0d14d6479b42a3ec32c387ac9165dc28b8b6e6664da84d032142d1c604e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FtgCx2gqpecn.bat

Filesize
205B

MD5
ecd25b062634c1e42bff89538259bd7c

SHA1
9274dccfec7ab85af88ae5ce185533515de9ab00

SHA256
d7cbdb568c8c3735c5b84bc2ec8c815aaa51c6d74b49f636b5e36e27980532c5

SHA512
0ce78092994e02b4c38dba2b34957105125e9fa6f55c6f9722d76e65947db8a49638488d7bd4989b64b3b4d85947b660b2ce0e7e8d9e8d8d8ca6542dec8728a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGloeVStvZlx.bat

Filesize
205B

MD5
446ed010ef7bb65a966653839f39b432

SHA1
8c2089e85a69fdba7aa5af7030def402faa41c91

SHA256
d02bbdefe7d9d6cf8a1440dc14ba1689af3f13305a6124ca0622acee75d5da3a

SHA512
a069e3c04f1650fe1b429cd4fe14b7ac39dbb8ee8960dc0ce8a9b7a8dd1261f0fb7a230e3a3608b80b844fe98bcb11e5df5b4ea366a3ae0162a445c29d98b971

Download Submit
C:\Users\Admin\AppData\Local\Temp\JZkSxd9V5c0G.bat

Filesize
205B

MD5
7b413fa190888128b1261bf0dc013f68

SHA1
ce44b08895d7d4b0d0804cce1eefa50d02cc8a4c

SHA256
94e3552fd5da49b21b426bc3ec0846387d1233af96203bdcc3cde366dae93d5c

SHA512
e0516123e23acd2c9317ec70330dd0b15af189cbb1467c1fc26d1a60ea62eadbb771e592790ee2382193a3778138abf9ecd8a29954e291e8048411428cedba25

Download Submit
C:\Users\Admin\AppData\Local\Temp\K8U58aUvIKqo.bat

Filesize
205B

MD5
acb5b3d2f48ae1beb3e926a709dbde6d

SHA1
52bb8fc4bbe0bf878479bec1adbf403000df4dde

SHA256
2bfc4dd6be8da0e903a608ab52f7b181574d25da452f632097b3ccdd612817cf

SHA512
7bbc0accd97201980ab664b747867067a83f48e4287e964d84940e772a6c308c93a00876fa180eba3b2225432d95a1ee710f4b85cd353a1442ccf46a6d5ed36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQRWVNMoVSZ5.bat

Filesize
205B

MD5
41c598b42b50685eea719978c77f1b8d

SHA1
29f87490a24a2deb5ff4abbaf22b28bcbf62f79a

SHA256
5bdfbde59731d095985178bcb56431a2c9b3494504ab8b38c8c40eb4f93d54b5

SHA512
e079e370bcf6a30bd95c4ff5d05cf4526dc3ceb3535aeed6a79265ce7ea937c34e6149a8efc2e6e9d227673e078bc8165a88e50e8cf54a97263a5483c8f5fd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmnbFIBn8AcV.bat

Filesize
205B

MD5
8fe0acf69c8eba02811fc201f24372cf

SHA1
8a7b8c8f3cd277b3cdc44277e30ca0974c40d9e3

SHA256
df62f9414d83648de002c0f5d04d524c61c5adb45eaa93d0f2233ee070a1da2a

SHA512
b9e46e1622bf75bdea58339cd2db5d3e703a46923889e6737861c23d019b8954e883d78a79ac160200752700c4287c9fa75cabbb0c471842f0cf21e1430c2cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\s6bSercrX1On.bat

Filesize
205B

MD5
d627e3e5629b6a2afd3b45c9dffe0d4a

SHA1
413ad98ac350054990911acc65183f5c78c90325

SHA256
69e46e3436cbb73466c51fe8aea893c906379305da2e400c098271e74532532a

SHA512
cf902b6a5c1bd4762136ef8d7e159aacfa0ae19daf4a8ab763addc2f04092f7f34bc4d6436b762b0fcfc1799f6cbf2b4704377bfb11b961d919ce88aabf1c4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\zup0elMFKg32.bat

Filesize
205B

MD5
fb26f89230e079dd90176c906ce524aa

SHA1
73facca0306c3012b2b5c5ab50174d7ef36e21fb

SHA256
7b36a1bad9b2d1793c17edae457e7bf292024e992acbae5c8f1367680291db1c

SHA512
7904b4cca879593b84566d98dfbe039decbc2c548a5b0cbb9ecfffc3ba589033dd749c0b9f59b475c407db6e3e8c5a9a817454a875a9942a5b38045e8b74cc7c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe

Filesize
3.1MB

MD5
01cb0e497f40e7d02f93255475f175e1

SHA1
98c779497d6514b91cd1410f627a5320f6b3eab5

SHA256
15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

SHA512
fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9

Download Submit
memory/1164-141-0x0000000001340000-0x0000000001664000-memory.dmp

Filesize
3.1MB

Download
memory/1180-54-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/1700-87-0x0000000001030000-0x0000000001354000-memory.dmp

Filesize
3.1MB

Download
memory/1708-21-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1708-10-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1708-9-0x0000000000BA0000-0x0000000000EC4000-memory.dmp

Filesize
3.1MB

Download
memory/1708-11-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2300-120-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/2304-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2304-8-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-1-0x00000000011B0000-0x00000000014D4000-memory.dmp

Filesize
3.1MB

Download
memory/2452-76-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download
memory/2844-108-0x0000000000370000-0x0000000000694000-memory.dmp

Filesize
3.1MB

Download
memory/2856-65-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download
memory/2976-33-0x0000000001120000-0x0000000001444000-memory.dmp

Filesize
3.1MB

Download